Security Bulletin: Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946)

Summary

Postgresql JDBC as shipped with IBM Security Verify Access has addressed a vulnerability that could allow a local authenticated attacker to obtain sensitive information.

Vulnerability Details

CVEID:CVE-2022-41946
**DESCRIPTION:**Postgresql JDBC could allow a local authenticated attacker to obtain sensitive information, caused by not limit access to created readable files in the TemporaryFolder. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240853 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

• Obtain the latest version of the container by running the command “docker pull icr.io/isva/verify-access:[tag]”

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

• Obtain the latest version by obtaining the fix as shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access 10.0.0.0

|

10.0.6-ISS-ISVA-FP0000

Workarounds and Mitigations

None